The U.S. State Department's years-long review of former Secretary Hillary Clinton's use of a private email server found that although 38 current or former department officials violated government security policies, there was no "persuasive evidence of systemic, deliberate mishandling of classified information."

The report found that Clinton's use of the server added an "increased degree of risk of compromise." But it also notes: "While there were some instances of classified information being inappropriately introduced into an unclassified system in furtherance of expedience, by and large, the individuals interviewed were aware of security policies and did their best to implement them in their operations."

The unclassified Oct. 16 State Department report was released by Sen. Chuck Grassley, R-Iowa, on Friday. The report found that the 38 current and former State Department employees were responsible for about 90 violations of department security protocols.

None of those State Department employees were named in the report. The investigation also found nearly 500 other security violations, but investigators could not connect those to specific individuals.

Those former or current employees who violated State Department security protocols, could face difficulty in obtaining or renewing a government security clearance, according to the Associated Press. In addition, employees still working for the State Department could face some type of internal disciplinary action, the AP reports.

Clinton's use of a personal server for some of her email produced a significant political backlash, including an FBI investigation. President Donald Trump also used the incident to attack Clinton's integrity and judgment during the 2016 presidential election (see: Clinton, Trump Tackle Cybersecurity in Debate).

Clinton Reaction

After the report was released Friday, Nick Merrill, a spokesperson for Clinton, posted a response on Twitter, calling the investigation another "pointless crusade" against the former secretary of state, senator and presidential candidate.

For the umpteenth time the email story is put to bed w/ a clear recognition it was a pointless crusade that took away from so many other issues we should have been discussing in '16. Let's not make this mistake again w/ whatever baseless crap is manufactured for our 2020 nominee. pic.twitter.com/y5Px7LeH87

But in a statement, Grassley, who has been investigating Clinton's use of a private server for years, notes that the State Department investigation "concluded that Clinton's use of a personal email server to conduct official business increased the risk of unauthorized disclosures and security compromises."

Increased Risks

The State Department report finds that the use of the server increased the risk that classified data could have been transferred to a nonclassified system because the "private system lacks the network monitoring and intrusion detection capabilities of State Department networks."

The use of the private server also increased the risk of an inadvertent release of classified data, the report notes.

"While the use of a private email system itself did not necessarily increase the likelihood of classified information being transmitted on unclassified systems, those incidents which then resulted in the presence of classified information upon it carried an increased risk of compromise or inadvertent disclosure," the report adds.

In the end, however, the report did not find pervasive evidence that State Department officials misused the private server or deliberately accessed or transmitted classified documents, the report concludes.

"Instances of classified information being deliberately transmitted via unclassified email were the rare exception and resulted in adjudicated security violations," the report notes.

Scope of Investigation

In December 2014, Clinton and her team first turned over more than 30,000 emails from her private server, which started the review to determine if these messages contained any classified information, according to the report.

That part of the investigation continued for over a year until March 8, 2016, when the FBI stopped the State Department investigation and began its own review, the report's timeline notes.

In July of 2016, the FBI finished its investigation, which led to former FBI Director James Comey holding a press conference where he criticized Clinton's use of the private email server as secretary of state as "extremely careless" but said the FBI would not recommend charges. Another Justice Department Inspector General's report found no evidence that the server itself was hacked.

After the FBI finished its investigation, the State Department returned to its investigation in July 2016, which then took another three years to complete, the report notes.

State Department investigators note that it took months to sort through all the emails, remove duplicates and determine if any of the material mentioned classified information. Additionally, the investigation "involved thousands of person-hours of review and investigative effort, including gathering statements from hundreds of past and present [State Department] employees and conducting dozens of interviews," the report notes.

About the Author

Ferguson is the managing editor for the news desk at Information Security Media Group. He's been covering the IT industry for more than 13 years. Before joining ISMG, Ferguson was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.